Proxy FreeRADIUS Monitoring from LB F5
CALMELS, Thierry (SOGETI REGIONS SAS)
thierry.calmels.external at airbus.com
Mon Dec 10 16:25:25 CET 2018
To my knowledge (I was not present at the beginning of the project), the built-in proxy logic was not used, because it was not possible to trigger custom code and we are not able to manage realms given the constraints (NAS and RADIUS Solution migration).
The proxy handles a Perl script which only forwards requests to RADIUS A and, if the reply is a REJECT, next sends the request to RADIUS B.
> If you configure the proxy to reply to the F5 for local users, it should work.
=> How is it possible to do it?
KR
Thierry
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+thierry.calmels.external=airbus.com at lists.freeradius.org] On behalf of Alan DeKok
Sent: Sunday, December 9, 2018 21:32
To: FreeRadius users mailing list
Subject: Re: Proxy FreeRADIUS Monitoring from LB F5
On Dec 9, 2018, at 2:17 PM, CALMELS, Thierry (SOGETI REGIONS SAS) <thierry.calmels.external at airbus.com> wrote:
> We have an infrastructure using freeRadius 3 (freeradius-3.0.13-8) on RHEL7.5.
>
> The infrastructure implements in front a layer “PROXY RADIUS” (not based on proxy.conf usage – thus we are using a custom proxy logic).
> The infrastructure works as expected.
>
> The architecture is as follows:
>
> Client NAS --> LB BigIP F5 --> Proxy FreeRADIUS --> LB BigIP F5 --> BackEnd FreeRADIUS
I'm not sure why you need two F5s, but OK.
> However we want to improve monitoring made by F5 in front of the layer proxy Radius.
> For that, we have configured a Radius profile on the F5, based on username/password declared in the /etc/raddb/users files.
>
> healthcheckVIP Auth-Type:=Accept, User-Password=="my_password "
>
> Unfortunately, this configuration works only if the healthcheckVIP account is declared on the BackEnd FreeRADIUS!
Only if you configure the proxy to send *all* traffic to the backend.
If you configure the proxy to reply to the F5 for local users, it should work.
> The account declared on Proxy is not taken into account.
> I didn’t find any solution/setting to block the radius request at layer proxy when the account is found and credentials confirmed.
You didn't say how *else* you configured the server. i.e. how did you configure it to proxy requests?
You're not using proxy.conf, so what *are* you using?
Alan DeKok.